[Shorewall-users] Ip aliasing

Marcelo Mujica mfmujic at eit.com.ar
Tue Dec 2 23:39:25 PST 2003


Hi, I'm running shorewall (# shorewall version 1.4.8) on a Red Hat 7.3. The firewall does port forwarding to a DMZ server, from eth0.
Now I have to forward the smtp port, from another public ip, to another server in the DMZ.
The primary is filtered like you can see in the rules file in this mail.
When I config the secondary ip over eth0 (eth0:0), the ip cannot be recognized by shorewall; I can ping, and do anything from outside over this ip. The message log doesn't register any action.
I followed the instructions for this faq (http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html), but I cannot forward the unique port that I need.
To make the job, I do NAT over the secondary Ip, and when I modified the NAT file, shorewall started to recognize the secondary Ip.
NAT works, but I need to forward only one port, and I can't.
In the rules file now I've commented the specific rule that I tried.

Thanks for your help.

Marcelo


# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:c6 brd ff:ff:ff:ff:ff:ff
    inet 200.61.163.217/29 brd 200.61.163.223 scope global eth0
    inet 200.61.163.218/29 brd 200.61.163.223 scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:86:13:53 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:53 brd ff:ff:ff:ff:ff:ff

# ip route show
172.16.1.0/24 dev eth1  scope link 
127.0.0.0/8 dev lo  scope link 
default via 200.61.163.222 dev eth0 

FILE ZONES
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
dmz     DMZ             Demilitarized zone
loc     Local           Local networks

FILE INTERFACES
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0    -       
dmz     eth1    -       routeback 


FILE NAT
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
200.61.163.218  eth0:0  172.16.1.11     yes     no



FILE MASQ
eth0    eth1

FILE RULES

# Accept DNS
ACCEPT  $FW     net     udp     53      -
ACCEPT  dmz     net     udp     53      -
ACCEPT  dmz     $FW     udp     53      -
ACCEPT  dmz     $FW:200.61.163.217      icmp    -       -
ACCEPT  $FW     net     tcp     -       -


ACCEPT  dmz     $FW     tcp     22      
ACCEPT  dmz     $FW     udp     22      -

# Forward ports 143,993,110,995,81,135,80
ACCEPT  net     $FW:200.61.163.217      tcp     143,993,110,995,81,135,80    -
DNAT    net     dmz:172.16.1.15 tcp     143,993,110,995,81,135,80    -
ACCEPT  net     $FW:200.61.163.217      udp     143,993,110,995,81,135,80      -
DNAT    net     dmz:172.16.1.15 udp     143,993,110,995,81,135,80      -

# Forward port 25
#ACCEPT  net     $FW:200.61.163.218      tcp     25     -
#DNAT    net     dmz:172.16.1.11 tcp     25      -      200.61.163.218
#ACCEPT  net     $FW:200.61.163.218      udp     25  -
#DNAT    net     dmz:172.16.1.11 udp     25     -

FILE POLICY
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
dmz     net     ACCEPT  -
dmz     $FW     ACCEPT  -
$FW     net     ACCEPT  -
$FW     dmz     ACCEPT  -
net     all     REJECT  info
net     $FW     REJECT  info
all             all             REJECT          info
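Added example, not part of the posting or of Shorewall itself: a small Python checker for a Shorewall 1.4 rules file. It parses the seven rule columns (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST, missing trailing columns read as "-"), flags malformed port lists and duplicated rules, and answers the question the post is really asking: is there an active DNAT rule that forwards a given protocol/port arriving at a given external address? The sample rules text below is constructed from the posting, with one stray leading comma and one duplicated DNAT line kept on purpose so the linter has something to report; the commented-out port-25 rules are skipped by the parser exactly as Shorewall skips them.

```python
import re
from collections import Counter

# Constructed sample (copied from the posting): a stray leading comma on the
# first net->$FW ACCEPT and a duplicated DNAT line are kept deliberately.
SAMPLE_RULES = """\
# Accept DNS
ACCEPT  $FW     net     udp     53      -
ACCEPT  dmz     net     udp     53      -
ACCEPT  net     $FW:200.61.163.217      tcp    ,143,993,110,995,81,135,80    -
DNAT    net     dmz:172.16.1.15 tcp     143,993,110,995,81,135,80    -
ACCEPT  net     $FW:200.61.163.217      udp     143,993,110,995,81,135,80      -
DNAT    net     dmz:172.16.1.15 tcp     143,993,110,995,81,135,80      -
#ACCEPT  net     $FW:200.61.163.218      tcp     25     -
#DNAT    net     dmz:172.16.1.11 tcp     25      -      200.61.163.218
"""

# Column order of a Shorewall 1.4 rules file; absent trailing columns mean "-" (any).
FIELDS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

# A port entry is a number, a low:high range, or a service name from /etc/services.
_PORT_RE = re.compile(r"^(\d+(:\d+)?|[A-Za-z][\w-]*)$")


def parse_rules(text):
    """Parse rules text into dicts keyed by FIELDS plus 'line'; comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        cols = line.split()
        padded = cols + ["-"] * (len(FIELDS) - len(cols))
        rule = dict(zip(FIELDS, padded))
        rule["line"] = lineno
        rules.append(rule)
    return rules


def port_list_problems(ports):
    """Return problem strings for a comma-separated port list ('-' means any port)."""
    if ports == "-":
        return []
    problems = []
    for item in ports.split(","):
        if item == "":
            problems.append("empty entry in port list %r (stray comma)" % ports)
        elif not _PORT_RE.match(item):
            problems.append("unparseable port %r" % item)
    return problems


def lint(rules):
    """Flag malformed port lists and rules that appear more than once."""
    findings = []
    seen = Counter(tuple(r[f] for f in FIELDS) for r in rules)
    reported = set()
    for r in rules:
        for problem in port_list_problems(r["dport"]):
            findings.append((r["line"], problem))
        key = tuple(r[f] for f in FIELDS)
        if seen[key] > 1 and key not in reported:
            reported.add(key)
            findings.append((r["line"], "rule appears %d times" % seen[key]))
    return findings


def forwards(rules, orig_ip, proto, port):
    """Active DNAT rules forwarding proto/port that arrives addressed to orig_ip.

    The external address belongs in the ORIGINAL DEST column; a DNAT rule with
    '-' there is not tied to one address, so it is counted for every orig_ip.
    """
    matches = []
    for r in rules:
        if r["action"] != "DNAT" or r["proto"] != proto:
            continue
        if r["dport"] != "-" and str(port) not in r["dport"].split(","):
            continue
        if r["origdest"] not in ("-", orig_ip):
            continue
        matches.append(r)
    return matches


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for line, message in lint(rules):
        print("line %d: %s" % (line, message))
    for ip in ("200.61.163.217", "200.61.163.218"):
        hits = forwards(rules, ip, "tcp", 25)
        print("%s tcp/25 forwarded by %d active DNAT rule(s)" % (ip, len(hits)))
```

Run as a script it reports the stray comma, the duplicated DNAT line, and zero active forwards for tcp/25 on either address, which is the state of the posted rules file. Uncommenting the `DNAT ... 200.61.163.218` line makes `forwards()` return it for the secondary address only, because the ORIGINAL DEST column pins it to that address.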

